4.8 KiB
keith/ForgePatch
This is a modified version of Minecraft Forge 1.16.4-25.1.32, with its Log4j version updated to 2.17.1.
The Backstory
A bit over a week ago, I decided to attempt to make a properly patched modification of the Forge version I was using prior to the Log4j bug being duscivered. It should have been as simple as modifying the version numbers specified in the Gradle build script, and rewriting any code that referenced nonexistent Log4j methods/classes.
However, I underestimated the Genius of the Minecraft Forge dev team.
See, 1.16.4 isn't officially supported by Forge anymore. I knew that going in, but I didn't want to update to 1.16.5, because that would require getting every player to update their version of Forge as well (and potentially also their mods if some broke in the transition). However, L*x M*nos and his team, in their Infinite Wisdom, decided to break the build scripts for all versions they no longer supported, and change the Maven repository URL listed in the build script to throw me off the scent. "No worries," I thought, "surely I can just change files.minecraftforge.net/maven
to maven.minecraftforge.net
in the build script and everything will work, right?" Nope - Gradle adamantly refused to look for dependencies at the new URL (which, it turns out, wasn't actually the cause of the problem, but I believed it was at this point). The hyper-intelligent superior life forms over at Forge, whose ways a lowly Earth being like me simply cannot comprehend, had hard-coded the URL in somewhere. Either that or Gradle was being a bitch. Probably both.
So, being the primitive, foolish Homo sapiens that I am, I made the mistake of asking for help in the Forge Discord. Kindly, of course, I mentioned that I was trying to build this specific version of Forge from source, and asked for assistance in fixing the build script errors. When asked why I was trying to do such a thing with an unsupported version of Forge, I mentioned that I was trying to build from source in order to update the Log4j version (since simply forcing the compiled server JAR to load 2.17.1 would crash with an exception). Second mistake. The moment I mention Log4j, it's no longer about my actual question, and instead about how I should just download 1.16.5, which still uses a version of Log4j that Apache's website advises against using - because who would want to solve a problem themselves when they can simply update their software to a version which still doesn't solve that problem? Why use your brain? Get rid of it and just download the latest version of what L*x M*nos, Holy King Of Gods, Sacred Be His Name wants you to think!!!1
Anyways, what's really funny about this whole exchange is when I cited Apache's official Web site for Log4j, which states that versions below 2.17.1 should be avoided due to security vulnerability CVE-2021-44832 (as well as CVE-2021-45105 and CVE-2021-45046, which were patched before 2.17.1 but after 2.15.0), and got a canned response saying that CVE-2021-44228 was patched in 2.15.0, and was then told to "stop arguing with the people who actually write the software I use" - which was said immediately after Gex Manuals attempted to convince me that the official Log4j website was wrong. Silly me, I forgot that the Forge developers are more highly evolved than I am, and have ascended to inhabit an alternative reality where the numbers 44228 and 44832 are equal, and denial of service vulnerabilities like CVE-2021-45105 don't exist!
I ended up putting this project on hold, since I had other, better things to do. But after picking it back up today, I realized two things. First, the files.minecraftforge.net/maven
-to-maven.minecraftforge.net
change was a complete red herring and not the actual source of the compilation problems - the Forge team had deleted the dependencies required by 1.16.4 from their Maven repository. (Not sure why. Disk space constraints, maybe?) And second, the missing dependencies were available at libraries.minecraft.net
.
Patching other versions
I may attempt to patch other versions of Forge later. If you want to try and do it yourself, here's how you need to modify build.gradle
:
- Search for
log4j
in the file, and replace the version number for both log4j-api and log4j-core with2.17.1
- In the
buildscript { repositories {} }
block at the top of the file, add a line below the existingmaven {}
block which reads:
maven { url = 'https://libraries.minecraft.net/' }
- Copy both of those lines into the
repositories {}
block inproject(':clean')
andproject(':forge')
.
To build Forge and the installer, it should be:
./gradlew forge:release
./gradlew forge:installerJar
The output will be in ./projects/forge/build/libs/
.